fix: handle a scratch/busybox/DockerSlim image gracefully #476
Conversation
@knqyf263, @simar7 - Would it be reasonable to create a new issue requesting the functionality for detecting the busybox version and CVEs in it to be added? At a quick glance, it appears like it'd be a potentially-okay first issue for somebody to tackle. If I can find some time, I could look at doing so. I just haven't dug into the source that closely yet. Or is the request to detect vulnerable versions of busybox being referenced by this comment: #397 (comment)?
Signed-off-by: Simarpreet Singh <simar@linux.com>
go.mod
Outdated
github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b | ||
github.com/aquasecurity/trivy-db v0.0.0-20200408191531-0a25a37ec16f | ||
github.com/aquasecurity/trivy-db v0.0.0-20200427223346-73deea114f99 |
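Review bot: pinning trivy-db to v0.0.0-20200427223346-73deea114f99 ties this go.mod to a commit from a branch that has not merged yet (aquasecurity/trivy-db#42), so a later rebase of that branch would leave this pseudo-version unreachable; re-pin to the master commit once that PR lands and re-run `go mod tidy`, as the Blocker section already calls for.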
This should be updated to point to master once aquasecurity/trivy-db#42 is merged.
I fixed it.
10ab9ac
expectedError: "unable to access the remote image (index.docker.io/library/badimage:latest)", | ||
expectedError: "unable to inspect the image (index.docker.io/library/badimage:latest): Error: No such image: index.docker.io/library/badimage:latest", |
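Review bot: the new expected string appends the Docker daemon's own wording ("Error: No such image: index.docker.io/library/badimage:latest") to Trivy's prefix, so this test will break whenever the daemon or client library rephrases that message; asserting only on the Trivy-side prefix "unable to inspect the image (index.docker.io/library/badimage:latest)" (a prefix or contains check) would keep the test stable while still covering the change away from "unable to access the remote image".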
@knqyf263 I wasn't able to figure out why this error has changed. Do you know?
Yes, you can find it here.
https://github.com/aquasecurity/fanal/pull/101/files#diff-525dd35201b72b43ad63b85dd2720ba6R66-R87
Hi @mattlorimor, the issue you're looking for is this: #397. We would be glad to look into your code if you do decide to make a contribution! Please feel free to send us a pull request.
We don't have a plan to detect vulnerabilities of a self-compiled binary. "Self-compiled" means a package not installed by a package manager such as yum. We support only packages installed by a package manager. So, it's difficult to detect vulnerabilities of the busybox binary in a busybox image for now. If a user needs such a feature, I think it should be another issue like "feature request: support packages installed by make". It will support other binaries like the nginx binary in an nginx image. @mattlorimor Yes, as you said, you can open the dedicated issue.
@simar7 Maybe we should leave some comments about our limitation on those issues and close them. Then, it can be tracked by the new issue opened by @mattlorimor.
…ty#476) * fix: handle unknown OS and no package errors * chore(mod): update dependencies * integration: add busybox * update dependencies and fix tests Signed-off-by: Simarpreet Singh <simar@linux.com> * chore(mod): use the latest trivy-db Co-authored-by: Simarpreet Singh <simar@linux.com>
…asecurity#476) * fix: ignore external source prefixes when filtering by file path
Overview
If an image is based on scratch, Trivy skips the vulnerability scan of OS packages and scans only the vulnerabilities of application dependencies. Note that vulnerabilities in busybox are not detected.
Related Issues/PRs
Replace #470
Close #8
Close #355
Close #397
Blocker
- go mod tidy after merging the following PR
- go get -u after merging the following PR